enabled apache2 Mod security Ispconfig 3.1.15p3

Discussion in 'Installation/Configuration' started by fabio lanubile, Apr 4, 2024.

  1. fabio lanubile

    fabio lanubile New Member

    Hi guys,
    I have some websites on wordpress (some updated other not). A few days ago some of my website are hacked with some injection i would install a waf (software) like mod security of apache but I read that mod security block some ispconfig function.
    Can anyone suggest me any others? Or any ispconfig-compatible security mod configurations?
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    One of my main pieces of advice is to use chrooted PHP-FPM. You can enable this by default for new sites and enable it for existing sites under the Options tab of each site. This will make sure that all sites run in their own jail, so if one site is infected, it can't spread through your whole server.
     
  3. fabio lanubile

    fabio lanubile New Member

    Wow, I thought it was root jailed by default; every site (so webX) is jailed in its /var/www/webxxx/ by default, isn't it?
    I will check it, but anyway I would use a Linux WAF or an Apache mod (like mod security). Jail root is OK, but I would like to prevent attacks on every single site.
    For now I use fail2ban, but I can't make a lot of ban configs in it for several cases.
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    The PHP process is usually not jailed to that one site, unless you use chrooted PHP-FPM. I am planning to write some more information on that soon.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Every site runs as a different user, but PHP-FPM is not jailed by default, as many users would fail using it: e.g. you can't connect to MySQL on localhost anymore as the socket is outside of the jail; you must connect by IP then.

    You can use mod_security on an ISPConfig system. Mod_security will always block some needed functions, which can be in your website or in other applications. Therefore you must monitor it and whitelist certain things for specific websites or apps, or disable it completely for certain vhosts like ISPConfig.
     
  6. fabio lanubile

    fabio lanubile New Member

    I didn't find any guide to enable or install PHP-FPM as chroot (on this forum there are many topics but nothing that explains how to install it). For security reasons I configured bind on localhost for MySQL, but I can change it to the local IP.

    So you recommend using mod security and then tuning and hardening it?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    There is no guide or installation needed. It's a simple checkbox on the Options tab of the website.

    I'm not using it on any of my current servers. I used it on a few systems about 10 years ago. I would use it only if I had to host websites that are unmaintained and do not get updates anymore. For all other sites, it's way better and more secure to simply install WP updates and WP plugin updates regularly to prevent them from getting hacked.
     
  8. fabio lanubile

    fabio lanubile New Member

    Thanks, I enabled the PHP-FPM chroot. I solved the MySQL problem by changing the bind address from localhost to IP, but now I have a strange problem with datetime: PHP doesn't recognize the time zone. We can solve these problems by putting in the chroot folder (/var/www/clients/clientX/webY/, correct?) a path like /usr/share/zoneinfo/Europe, but I can't create a folder in that folder even as root.

    [Wed Apr 10 09:50:11.095390 2024] [proxy_fcgi:error] [pid 24187] [client 212.189.160.2:58021] AH01071: Got error 'PHP message: PHP Fatal error: Uncaught Exception: DateTimeZone::__construct(): Unknown or bad timezone (Europe/Rome) in /web/wp-includes/script-loader.php:422\nStack trace:\n#0 /web/wp-includes/script-loader.php(422): DateTimeZone->__construct()\n#1 /web/wp-includes/script-loader.php(677): wp_default_packages_inline_scripts()\n#2 /web/wp-includes/class-wp-hook.php(324): wp_default_packages()\n#3 /web/wp-includes/class-wp-hook.php(348): WP_Hook->apply_filters()\n#4 /web/wp-includes/plugin.php(565): WP_Hook->do_action()\n#5 /web/wp-includes/class-wp-scripts.php(166): do_action_ref_array()\n#6 /web/wp-includes/class-wp-scripts.php(149): WP_Scripts->init()\n#7 /web/wp-includes/functions.wp-scripts.php(24): WP_Scripts->__construct()\n#8 /web/wp-includes/functions.wp-scripts.php(368): wp_scripts()\n#9 /web/wp-includes/class-wp-admin-bar.php(72): wp_enqueue_script()\n#10 /web/wp-includes/admin-bar.php(49): WP_Admin_Bar->initialize()\n#11 /web/wp-includes/class-wp-hook.php(324): _wp_admin_bar_init()\n#12 /web/wp-inclu...',
     
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Adding directory to jail is done with the jailkit commands.
    You should paste log text in CODE tags, then it would be more readable.
     
  10. fabio lanubile

    fabio lanubile New Member

    I solved it by removing the immutable flag and creating /usr/share/zoneinfo/Europe in the chroot folder.
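
The fix described in the last post, written out as an added example (not from any participant in the thread and not ISPConfig's own code). It copies a single zone file into the jail instead of the whole zoneinfo tree and puts the immutable flag back afterwards. The function name `jail_add_zone` is hypothetical, and it assumes the immutable flag sits on the jail root directory itself.

```sh
#!/bin/sh
# Added example: copy one timezone file into a chrooted PHP-FPM jail.
# Assumption: the immutable flag, if present, is set on the jail root.
# Usage: jail_add_zone JAIL ZONE [SRC_ROOT]
#   e.g. jail_add_zone /var/www/clients/clientX/webY Europe/Rome

jail_add_zone() {
    jail=$1; zone=$2; src_root=${3:-/usr/share/zoneinfo}

    # Accept only Area/Location style names. Dots are not in the allowed
    # set, so "../" can never be used to copy other host files into the jail.
    case $zone in
        ''|/*|*[!A-Za-z0-9_/+-]*) echo "bad zone: $zone" >&2; return 2 ;;
    esac

    src=$src_root/$zone
    [ -f "$src" ] || { echo "no such zone file: $src" >&2; return 3; }
    [ -d "$jail" ] || { echo "no such jail: $jail" >&2; return 4; }

    # Remember whether the jail root is immutable so it can be restored.
    was_immutable=0
    if lsattr -d "$jail" 2>/dev/null | cut -d' ' -f1 | grep -q i; then
        was_immutable=1
        chattr -i "$jail" || return 5
    fi

    dest=$jail/usr/share/zoneinfo/$zone
    rc=0
    # cp -L dereferences symlinks so the jail gets a real file, not a
    # link that points outside the chroot.
    mkdir -p "$(dirname "$dest")" && cp -L "$src" "$dest" \
        && chmod 644 "$dest" || rc=6

    # Put the protection back even if the copy failed.
    if [ "$was_immutable" -eq 1 ]; then
        chattr +i "$jail"
    fi
    return $rc
}

# Run directly: ./jail_add_zone.sh JAIL ZONE [SRC_ROOT]
if [ "$#" -ge 2 ]; then
    jail_add_zone "$@"
fi
```

Restoring the flag matters because it is what stops the site's own user from replacing top-level directories of the web root after a compromise.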
     
